[ 
https://issues.apache.org/jira/browse/YARN-6930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118300#comment-16118300
 ] 

Shane Kumpf commented on YARN-6930:
-----------------------------------

Thanks for the comments, [~miklos.szeg...@cloudera.com]. I will get those 
assertions added.

{quote}
I am wondering whether it would be a good idea to specify the user as well not 
just enabling a runtime in general. I could imagine that an admin allows Docker 
runtime only for specific users first...
{quote}

I think there could be value in an ACL model for container runtimes; however, 
there are additional issues regarding user squashing that need to be addressed 
before the feature is very useful. Let's address that in a different issue if 
that works for you?

I'll also note that there are differences in implementation between the Java 
Sandbox and Docker runtimes, so I have not changed the behavior of the existing 
runtime selection with this patch. One of the considerations when developing 
the Docker runtime was the ability to control the runtime per container as 
opposed to per application/cluster; i.e. AMs run as regular process-based 
containers, while map and reduce task containers run using the Docker runtime. 
The Java sandbox based runtime takes a different approach and is enabled 
through configuration. This may be appropriate for the Java sandbox runtime, 
but I don't want to change the way the Docker runtime selection works today, 
which is why I decided not to introduce the docker-mode config and instead 
check the allowed runtimes after selection.

> Admins should be able to explicitly enable specific LinuxContainerRuntime in 
> the NodeManager
> --------------------------------------------------------------------------------------------
>
>                 Key: YARN-6930
>                 URL: https://issues.apache.org/jira/browse/YARN-6930
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Shane Kumpf
>         Attachments: YARN-6930.001.patch
>
>
> Today, in the java land, all LinuxContainerRuntimes are always enabled when 
> using LinuxContainerExecutor and the user can simply invoke anything that 
> he/she wants - default, docker, java-sandbox.
> We should have a way for admins to explicitly enable only specific runtimes 
> that he/she decides for the cluster. And by default, we should have 
> everything other than the default one disabled.
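
The approach discussed in the comment above (pick the runtime per container, then check the choice against the admin's allowed list, with only the default runtime enabled when nothing is configured), as an added example that is not code from YARN-6930.001.patch or from Hadoop. The class name, the `RUNTIME_TYPE` environment key and the comma-separated allow-list format are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: all names here are hypothetical, not Hadoop classes or config keys.
public class AllowedRuntimeCheck {
    enum RuntimeType { DEFAULT, DOCKER, JAVA_SANDBOX }

    // Maps "docker" or "java-sandbox" to the enum; unknown names throw IllegalArgumentException.
    static RuntimeType parse(String name) {
        return RuntimeType.valueOf(name.trim().toUpperCase(Locale.ROOT).replace('-', '_'));
    }

    // Admin allow-list. A missing or empty value enables only DEFAULT,
    // matching "everything other than the default one disabled".
    static Set<RuntimeType> parseAllowed(String csv) {
        Set<RuntimeType> allowed = EnumSet.noneOf(RuntimeType.class);
        if (csv == null || csv.trim().isEmpty()) {
            allowed.add(RuntimeType.DEFAULT);
            return allowed;
        }
        for (String name : csv.split(",")) {
            allowed.add(parse(name)); // a typo in the admin config fails at startup
        }
        return allowed;
    }

    // Per-container selection stays as it is: the container's own (user-controlled)
    // environment names the runtime. The allow-list is enforced after selection.
    static RuntimeType pick(Map<String, String> containerEnv, Set<RuntimeType> allowed) {
        RuntimeType chosen = parse(containerEnv.getOrDefault("RUNTIME_TYPE", "default"));
        if (!allowed.contains(chosen)) {
            throw new SecurityException("runtime " + chosen + " is not enabled on this node");
        }
        return chosen;
    }

    public static void main(String[] args) {
        Map<String, String> amEnv = new HashMap<>();   // constructed: AM requests nothing
        Map<String, String> taskEnv = new HashMap<>(); // constructed: task requests docker
        taskEnv.put("RUNTIME_TYPE", "docker");

        Set<RuntimeType> nothingConfigured = parseAllowed("");
        System.out.println("AM   -> " + pick(amEnv, nothingConfigured));
        try {
            pick(taskEnv, nothingConfigured);
        } catch (SecurityException e) {
            System.out.println("task -> rejected: " + e.getMessage());
        }
        System.out.println("task -> " + pick(taskEnv, parseAllowed("default,docker")));
    }
}
```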


